6.805/STS085: How countries handle computer crime

By Michael W. Kim

Paper for MIT 6.805/STS085: Ethics and Law on the Electronic Frontier, Fall
1997

Introduction

In 1986, the passage of the Electronic Communication Privacy Act
marked the first time that a major piece of legislation had
specifically been passed to mandate restrictions on the use of
computers. It was a historic moment, not only for the United States,
but for the entire world, as it was the first time any governmental
authority had done anything to try to contain what we now know as the
Internet. This was only the beginning. In the ensuing years after the
passage of the ECPA, many federal agencies from the FBI and Secret
Service began to enforce this and other pieces of legislation, trying
to crack down on this new wave of computer crime. Without direction
from legislative bodies, however, and lacking precedent from previous
cases, both the FBI and Secret Service were unclear as to their
jurisdiction, and, as in previous expansions of federal power,
proceeded with aggressive prosecutions in attempts to "stake their
claim." Instead of culminating in strong legal precedents, however,
that would send a message to computer users everywhere, their efforts
ended up in the Robert Morris Internet Worm and Steve Jackson Games
cases. Two cases that were tenuous at best in setting any strong legal
precedents.

Since these early fiascos, however, much has been written and done to
improve the viability of electronic law enforcement. The FBI now has a
network of computer crime squads. The Justice Department has set up a
set of guidelines outlining procedures for seizing and searching
computers. Even the general US population as a whole is now more
educated about computer crime, and many generally know what to do in
order to protect themselves.

What is lost in this legal sea, however, is that the Internet, as well
as Internet crime, extends far beyond the borders of the United
States. According to InterGov International, 39 percent of Internet
traffic is generated outside of the United States. In addition, a 1991
United Nations Commission on Crime and Criminal Justice study
concluded that in survey of 3000 Virtual Address Extensions sites in
dozens of countries, over 72 percent reported a security incident
within the last 12 months. Clearly, law enforcement on the electronic
frontier is not just an American problem.

Although the nature of the Internet is that its content and influence
extend far beyond a nations borders, it is clear that as of yet, law
enforcement can not and does not. Hence, a responsibility has been put
on every national government to police its own section of the Internet
that more or less happens to fall onto their soil. In the ensuing
paragraphs, I will attempt to explain legal measures being taken by
several nations in their efforts to curb Internet abuses and computer
crime within their sovereign jurisdiction. Some countries have reacted
quickly and legislated stringent standards. Others have been more lax
in their response, or simply do not care to enforce this additional
legislation. Whatever the case, however, it is clear that in order to
effectively curb computer crime in the future, international
cooperation of some kind will be required in order to provide
boundaries to this otherwise infinite universe.

United Kingdom

On June 4, 1993, Neil Woods and Karl Strickland, citizens of the
United Kingdom, became the first two people to be convicted and
sentenced for violating the criminal conspiracy provision of the
British Computer Misuse Act of 1990. It marked the first time that any
successful action had been taken, in the United Kingdom or the
Continent, to curb what had previously been seen as an uncontrollable
virus of computer hacking in Europe. After all, British citizens had
been bombarded for years with reports of the exploits of such groups
as the Computer Chaos Club, and other minor hackers. This point was
not lost from the prospective of the British government, who badly
needed this legal victory.

The names of Woods and Strickland, better known as Pad and Gandalf,
had been known by many across Europe for some time as a duo of
extremely adept and dangerous hackers. Easily penetrating computer
systems in fifteen different countries, Woods and Strickland had been
responsible for many hacks including exposing the gaudy expense
accounts of European Community President Jacques Delor, entering and
bringing down a good part of Sweden's telephone network, and pilfering
the confidential financial records of S.G. Warburg, the leading banker
in London.

What made this conviction especially important, however, was the case
of Paul Bedworth which, just a few months before, had ended in
acquittal. At 14 years old, Bedworth's mother had furnished him with a
$400 computer for a birthday present, which he then proceeded to use
over the next five years to break into supposedly secure systems
ranging from the White House to the Tokyo Zoo. After his capture and
subsequent trial on the charge of criminal conspiracy under the
Computer Misuse Act, a conviction appeared like a certainty, as
Bedworth did not deny his hacking exploits, and did not offer any
evidence in his defense other than to say he had a "pathological
obsession" with computers. Most devastatingly to prosecutors, however,
a jury of eleven, eight men and three women, voted unanimously to
acquitt Bedworth, despite the fact that there had been evidence
presented from the collaboration of eight different British police
forces, as well as several overseas governments including Singapore
and India. Many had feared the Bedworth case had permanently taken the
teeth out of the Computer Misuse Act, essentially freeing hackers
everywhere to roam as they pleased and claim addiction to this
"disease." However, their fears were somewhat quelled by the
convictions of Wood and Strickland, who will surely serve as
precedents and examples for the near future.

There are basically two acts relating top computer usage that have
been passed by the British government. They are the Data Protection
Act of 1984, and the Computer Misuse Act of 1990. The first act
generally deals with the actual procurement and use of personal data,
while the second act defines the laws, procedures, and penalties
surrounding unauthorized entry into computers. The next two paragraphs
will go into more detail as to what exactly these two pieces of
legislation encompass.

The Data Protection Act of 1984 is divided into eight basic
principles. The first deals with procurement of data, and generally
outlines ways in which data may be processed fairly and lawfully. The
next principle deals with the possession of data, and that it should
only be held in a specified and lawful manner for a specific
purpose. The third item states that data will not used or disclosed
for anything other than its intended purpose. The fourth says that
once that purpose is finished, is should be disposed of immediately
and properly. The following two principles mandate the integrity of
the data, stating that it should remain relevant and viable for its
intended purpose, and should be kept accurate and up to date at all
times. Finally, the last two points deal with the actual ownership of
data, saying that it is up to the data user to maintain their own data
and make sure adequate security measures are in place to prevent its
unauthorized access, alteration, disclosure, or destruction. This act
looked very peculiar at the time of its passage, and continues to
today, because it seems to place the blame of hacking on the victim,
and not on the aggressor. In otherwords, if a person hacks into ones
computers, the computer owner is liable for not effectively defending
their own computer from attacks.

As a result of the Data Protection Act's curious bestowment of
security burden on the victim, in 1990, Parliament passed the Computer
Misuse Act to supersede many of the provisions of the 1984 act. The
act grew out of public outrage over the growing proliferation of
destructive hackers, and resulted in a very tough piece of
legislation. Its most significant components were the first three of
eighteen sections, which effectively shifted the blame and
responsibility of unauthorized access from the attacked to the
attacker. Not only did it criminalize expected actions such as
unauthorized access, modification, and destruction of material, but it
also removed the burden of intent in order to find someone guilty
under the act. In other words, someone who succeeded in accessing an
unauthorized computer, even if he had no explicit intent of doing so,
could be convicted under the act. The next six sections defined the
jurisdiction of the act, and it was made broad enough to include
prosecuting actions on British soil, at British soil, as well as the
procedures for the proper prosecution of conviction of non-British
citizens. The remaining sections dealt with the enforcement aspects of
the legislation, outlining procedures for trial, search warrants,
extradition, and what to do in case proceedings were held in either
Scotland or Northern Ireland, who maintain their own separate court
systems.

Following the convictions of Wood and Strickland, prosecutions of
hackers grew in number as more and more of them were brought to Her
Majesty's Royal Court. In 1997, Richard Pryce, 19 of Holburn, England,
plead guilty to twelve counts of gaining unauthorized access to
computers, including those of the United States Air Force. He was
caught when he was sixteen years old by the Computer Crime Unit of the
New Scotland Yard, who had received a tip from none other than the
United States Air Force. Owing to the non-malicious nature of the
intrusion, and the three year disruption to his musical career, the
magistrate decided Pryce had suffered enough, gave him a stiff fine,
and sent him on his way. In 1995 at Exeter Crown Court, Christopher
Pile, also known as the "Black Baron," was sentenced to 18 months in
prison for violating section 3 of the Computer Misuse
Act. Specifically, he was charged with unauthorized access,
unauthorized modifications, and inciting people to spread viruses. He
was the first person convicted under section 3 of the act.

Despite its seeming successes, Scotland Yard, however, has not been as
lucky. In 1996, a phone phreaker or a hacker broke into Scotland
Yard's PABX (Private Automatic Branch Exchange) and racked up one
million pounds worth of long distance phone calls before the scam
could be stopped. Despite the fact that public network had been
electronically "sealed" from hacking years before, authorities
admitted that the PABX continued to be the weak link in the electronic
information chain. Aside from being expensive and embarrassing,
Scotland Yard still has no option but to blame themselves, for the
nintruder or intruders have been rigorously pursued, but as of yet
still have not been caught. Hackers like these are costing Britain
alone almost $1.54 billion a year.

Canada

In October of 1992, the North York Metro Police Department arrested a
15 year old boy who was attending school, raided his home, and
confiscated two computers. According to BellCanada and Metro police,
the young individual in hand was the notorious 911 dialer that had
periodically clogged up the 911 lines for the entire Toronto area,
severely hampering emergency services. Apparently, the youth had
dialed into the 911 service by illegally breaking into the phone
system, rerouting the call through several United States systems,
before finally reentering the Toronto area. When arrested, he was
charged with theft of telecommunications, 24 counts of mischief, and
10 counts of conveying false messages. What startled authorities,
however, was not the crime itself, but the degree of complexity with
which the youth had carried it out. It sent a message to Canadian
authorities everywhere that computer crime can be committed by anyone,
and must be rigorously prosecuted.

Besides being our geographical neighbor to the north, Canada's
proximity and economic integration with the United States has created
a computer network and Internet community very dependent to
ours. Along with this technology, however, has also come computer
crime both from United States, as well as from within. To Canada's
credit, they have watched very closely the proliferation of computer
crime in their neighbor south of the border, and have wasted no time
in implementing legislative action to correct such measures. That,
along with a well defined enforcement and command structure has given
Canada an almost unmatched success rate in dealing with hackers. Some
of their success stories include the apprehension of such notorious
hackers as Darkman, Coaxial Karma, and SubHuman Punisher.

As stated before, the Canadian government has been very aggressive and
unashamed in implementing computer crime legislation. There are
basically two section in the Canadian criminal code, sections 342.1
and 430 that deal the most with computer crime. Section 342.1 is
itself divided into two parts. The first part deals with most of the
items that would traditionally be considered computer crime. It
defines unlawful entry into systems, interception of transmissions, as
well as mandating a harsh ten year prison sentence for violation of
these laws. The second part defines data or computer programs, to give
written documentation as to what kind of materials would qualify under
the statute. Section 430 criminalizes the actual destruction,
alteration, or interruption of data or data transmission. It does not
set specific sentences, but one can assume they would be similar in
nature to section 342.1. Other related codes that more generally refer
to the misuse of telecommunications include section 184, the unlawful
interception of telecommunications, section 326, theft of
telecommunications, and section 327, possession of device to intercept
telecommunications. I found that in cases of hacker prosecutions,
telecommunications theft was often charged in conjunction with the
other statutes.

The item, however, that truly distinguishes the Canadian government
from all others who try to enforce computer crime laws is the clear
definition of a jurisdictional boundary for computer crime. All
sections pertaining to such events fall under the mandate of the Royal
Canadian Mountain Police (RCMP), and specifically the Information
Technology Security Branch (ITSB). This body, in consultation with the
Treasury Board Secretariat (TSB) and Communications Security
Establishment (CSE), are responsible for the information technology
security of all of Canada. Their primary role is to educate the
government on security matters, running seminars, printing document,
and providing consultation, however, they are also tasked with working
with local law enforcement officials to crack down on computer
crime. The ITSB itself is broken up into three branches. The Security
Evaluation and Inspection Team's (SEIT) primary function is to set up,
secure, and be a consulting organization for any computers and
networks set up by the government of Canada. The Computer
Investigative Support Unit (CISU) is the legal branch of the
RCMP. They provide legal counsel, acquire warrants, and direct the
prosecution of computer criminals. Finally, the Counter Technical
Intrusion Unit (CTIU) is responsible for performing periodic sweeps of
governmental computer systems, assisting local police, and performing
technical evaluations in cases of theft of communication. As one can
see, with the defined layout and organizational structure written
above, its no wonder that hackers consider Canada a difficult hack,
although there are many that will always be up to the challenge.

In just one measure of a Canada's success in their war on electronic
crime, it is estimated that of the $3 billion to $4 billion lost in
North America due to telecommunications theft, only $100 million, or
about 3%occurred in Canada. This despite the fact that Canada accounts
for approximately 8% of the North American population, and a much
greater proportion of its electronic traffic. In telecommunications
conference held in Toronto, a group called the Stentor alliance
attributed this success to the cooperative atmosphere, in fighting
computer crime, that exists between government, law enforcement, and
industry. Maybe it is conceivable that the United States should import
another product from their northern neighbor, other than hockey.

Italy

On September 8, 1994, hundreds of customs inspectors from the Guardia
di Finanza (the finance police) unleashed a massive operation, called
"hardware1." This operation, which seemed to materialize without logic
or warning, was carried out on a nationwide scale as anywhere from 50
to 100 bulletin boards were shut down, and all hardware and software
were confiscated. Many operators, understandingly, were taken aback as
they were charged with everything from cooperating with the Mafia, to
selling pirated software and CD-ROMs. Later, the chief prosecutor
Parodi from the city of Turin explained the raids, saying that they
had launched such an operation against BBSes because it had come to
their attention that these "telecom pirates" were using their BBSes to
connect with similar American boards, download pirated software, copy
them, and sell them on the black market. In addition, he said that the
finance police had uncovered evidence of a loose confederation of
these BBS operators who were trafficking data between themselves in
order further their profits. On face, it seemed like the Italian
government had acted prudently and efficiently to save legitimate
software manufacturers billions of dollars in revenue. The reality is
quite different story.

To begin however, allow me to present the legal background in Italy,
for laws involving computer crime. In the Operation Hardware1, Italian
officials cited several parts of the Italian as well as European
Economic Community (EEC) Code to justify their actions. Specifically,
they cited EEC proposal 250/91, which establishes the integrity of
copyrighted software, Italian Code section 518/92, which establishes
penalties against selling pirated software and evading taxes on those
items, and Italian Code section 633/41, which also protects
copyrighted software. Although those were the laws invoked in the
raids, they do not form the heart of Italian computer crime law, which
is actually quite extensive. All legislation of that type is contained
within Italian Code section 547, which was passed as part of a larger
bill in December of 1993. There were basically twelve points in the
bill. Four of the points deal with the possession, alteration, or
destruction of data or computer systems. The last of those carried a
maximum penalty of one million liars and recommendations for action by
the plaintiff. Another four set penalties for unauthorized or pirated
access into systems and subsequent interception of communications,
which carry a maximum sentence of six years. The last four points were
more diverse in nature. One makes it a crime to forge an electronic
transmission. Another forbids the diffusion of computer viruses into
the network. The third makes illegal the possession of devices to
intercept or disrupt communications. The final point is probably the
most intriguing, as it sets rather harsh penalties for disclosure of
information to another without good cause.

Back to the Operation Hardware1 of 1994, despite the benevolent and
seemingly legal nature of the operation, the Italian government had,
apparently, once again lived up to its good name as a country who had
problems when it came to government. Although the prosecutors were
backed by the criminal code, it was difficult to justify their actions
on only those grounds, because had copyright violations really been a
problem, crackdowns would have occurred in the music and videotape
industry as well. However, those raids never came. Thus, a multitude
of theories swirled around as to why the raids occurred, and no is
quite sure which one is correct. Of the those dozens of theories,
three in particular were taken seriously into consideration by those
who followed the Italian BBS scene.

The first one was that after the recent prosecutions of the Mafia,
prosecutors were getting bored and decided to go after what they
considered a "high profile story." As computers were leading edge, and
as of yet not well understood, technology, it would be perfect way for
the government to strike something the public did not exactly
understand. One of many holes in this story, however, is that it would
have required massive amounts of under the table communications which
seemed unlikely.

Another theory was that the Italian government was acting, at the
behest of the telecommunications industry, to clear out small BBS
operators so they could move in with their massive communications
networks and take over the Italian net. The flaw in this theory is
that BBS users were generally private people with a small group of
users, and that the communications giants would have been relatively
unaffected had they chosen to begin a massive marketing campaign with
or without the BBSes.

The final, and most intriguing theory, is one that goes back to the
past Italian election. Following corruption scandals that basically
decimated the ranks of the centrist Christian Democrat and Socialist
parties, a power vacuum emerged that allowed the election of media
mogule Silvio Berlusconi's right wing party. Although not fascist
himself, Berlusconi gave prominent seats in his cabinet to the Alianza
Nationale, the neo-fascist party, in order to form a government. It
was then these fascists who orchestrated Operation Hardware1, as it
was clear a disproportionate share of the BBSes hit were left leaning
services, including Peacelink, a non-profit BBS which was brought down
three weeks after the initial raids when they criticized the
Berlusconi government. Because Berlusconi owned a good portion of
Italian media, little was reported of these facts. Although carried
out in the name of computer justice, the actions of the government
were little more than a political suppression. This interpretation was
further justified in 1995, when the Bits Against the Empire BBS, a
node of the Italian Cybernet computer network was shut down because
its efforts at free expression and counter-information were a threat
to the democratic order. They were charged with subversive
association with terrorist intent, although the outcome of the case is
not certain.

Besides this operation and the laws on the books, little other
movements have been seen in enforcing Italian computer crime
legislation. One case in point is in 1994, police officials learned of
the existence of a Virus Creation Laboratory (VCL) in Italian
servers. Cracked by the Data Processing Crime Section of the Italian
police, an investigation was launched into finding the origin of this
virus "factory." Yet, despite the fact that the program was traced
back to a Bulgarian data bank, no charges were filed and no arrests
were made. With its already colored history, it will be interesting to
see what Italian computer crime will look like in the future.

Australia

A book called "Underground" by Suelette Dreyfus details the true story
about an Australian computer underground group who wrecked havoc for
over a decade on the Internet. They hacked into supposedly secure
computer systems such as Citibank, the Pentagon, NATO, the FT 100,
NASA, Lockheed-Martin, Deutsche Telekom, and Australian Telecom, as
well as the Defence Data Network's NIC, one of the backbones of the
Internet. It was only after raids by the Australian Federal Police and
the police agencies of other countries that this group was finally
brought down.(11) Today, these hackers based in Australia are known as
Data King, Pheonix, Electron, and Nom. They were arrested, and brought
to trial under the Australian Criminal Code provisions passed in the
Telecommunications Act of 1991, which outlined much of the laws
surrounding computer crime in Australia.

The Telecommunications Act of 1991 basically added sections 74 and 76
to the Australian Criminal Code. Section 74 outlines the definitions
of carrier and data, so that they may be used in subsequent sections
of the code. It also went on to specify what was considered a carrier
and data belonging to the Commonwealth of Australia, encompassing
everything from data that originates in Commonwealth computers, as
well as data that leaves Commonwealth computers. Section 76B-1 makes a
crime any unauthorized access to a Commonwealth computer
system. Section 76B-2 is similar to the previous section, except that
it elaborates on what is considered unauthorized access, as well as
establishing intent as a qualifying factor for prosecution. Section
76B-3 makes it a crime to continue to examine the data. Section 76C
deals with destruction, alteration, and impeding the data, while
Section 76D focuses more on the method of entry. Finally, Section 76E
provides punishment for those who specifically access a Commonwealth
computer, and proceed to alter or destroy data.

1993 basically marked the watershed year for the Australian Federal
Police Computer Crime Unit, the agency established to enforce the
Telecommunications Act. In that year, the computer ring was busted,
and six notorious hackers were put on trial in Australian Federal
Court. Of those six, the main four were eventually convicted and three
were sentenced to jail terms. Data King, the most notorious of the
four, was given the lightest sentence, even though he had done the
most damage when he hacked into such systems as the Australian
National University and the Australian Defense Forces. He, however,
was a minor and escaped with a fine and probation under Section 19A of
the criminal code. The others were not as lucky. Phoenix, who had
unwittingly fallen into a trap when he collaborated with a Federal
agent, received the harshest sentence, most notably a year in jail and
500 hours of community service. The other two, Electron and Nom, were
sentenced to six months in jail apiece, with 300 and 200 community
service hours respectively.

Still, despite all the attention and grief caused by this four, one
has to wonder whether the punishments they were levied were indeed
enough. After all, the crimes that this group committed could indeed
be considered exceptionally heinous and dangerous. Some the damage
done included installing a Wankworm in the computer system at the
Goddard Space Center which disrupted NASA operations, breaking into
Canada's Northern TeleCom and seriously disturbing company functions,
listening in on classified United States military communications on
its System X network, which could have meant disaster for a group of
US soldiers somewhere. Despite the magnitude of their crimes, however,
the judgments stood. In last twisted instance of justice, however,
Electron eventually became crazy following the trials, and was
committed to a mental hospital.

Israel

On January 29, 1992, four computer hackers, two adults, two minors,
were arrested in their Jerusalem home on a variety of computer crime
charges. Apparently, these four individuals, using personal computers
and inexpensive modems, had fraudulently obtained several confidential
passwords necessary to enter Isranet. Isranet is the national bank
computer network. >From there, they had broken into other
international computer services, and stolen data from foreign public
data banks, including personal credit card numbers and other
services. Their arrest was a combined effort between security officers
from Bezek, Israel's state controlled phone company, and the National
Fraud Squad.

The National Fraud Squad has official jurisdiction over Israel's
computer crime. Although backed by the force of law, unfortunately for
us, they have only one or two officers that are specifically assigned
to computer investigations, who are in charge of everything from
calling card fraud, to electronic bank embezzelers. Consequently busts
like the one described above are the exception, most of which occur
when Bezek gets involved. Simply put, the government and public
believe that computer hackers actually represent the smarter end of
the Israeli population. In general, the law enforcement has not as of
yet encountered any major problems with hackers that turn into
professional criminals and warrant extra attention. To the contrary.
Most Israeli hackers end up getting hired by the Israeli software
industry to make a rather lucrative living. Although hacker busts do
occur, they are very infrequent and usually result in charges being
dropped.

The only other computer crime of note that occurred in Israel was the
capture of Deri Schreibman, who was arrested and charged with
disseminating illegitimate credit cards to people in the United States
and Canada. Although it was widely rumored that he had also broken
into computer systems such as the Washington Post and the Pentagon,
lacking any legal backing, nothing ever came of his arrest. Although
hacking is sure to become a wider problem as network access grows in
Israel, as of yet the major computer crime epidemic has not found
their way to this corner of the globe.

China

In order to evaluate computer crime in China, it is absolutely
necessary to distinguish between mainland China and Hong
Kong. Although they are now ostensibly one and the same country, one
hundred fifty years of separation, and two radically different
governments, have undoubtedly left two very different societies in
their wake. They are divergent in every sense, from economic,
political, to technological. It is in fact this contrast of worlds
that is sure to prove the most interesting in the immediate years to
come.

Like many of its earlier actions, China does not seem to possess any
written law or code specifically outlining its computer crime
statutes. Instead, trials are held by the force of military law, and
harsh punishments are handed out, often in an execution style
manner. These cases, however, have been extremely rare and far
between, for in a report in WIRED magazine by Neal Stephenson, he
journeys deep into China to find out that the general Chinese
population have no real concept of the computers or the
Internet. Their idea of network are the network of spies during the
Cultural Revolution that were executed for espionage and treason. The
reason for this is not necessarily that China is unable to accept the
Internet's infrastructure, but more a play by the government to limit
what it considers treasonous propaganda from entering the
country. With the memories of Tiannamenn Square fresh in their minds,
they are understandably skeptical of this new technology which the
United States Supreme Court so eloquently called "the most democratic
of all mediums." They wish to limit outside contact with pro-democracy
and human rights groups, and thus, in conjunction with Singapore, are
busy building a structure that will be able to filter out undesired
content.

Nevertheless, the information age and computer crime is finding its
way in the largest country in the world. The first incident of a
computer crime as we know it, occurred in April of 1993, when Shi
Biao, an accountant at the Agricultural Bank of China's Jilin branch,
and his accomplice Yu Xilin, attempted to wire stolen money from Jilin
to a bank in Shenzhen. The two were accused, and hence convicted, of
invading the computers of the bank, and embezzeling almost
$192,000. Biao and Xilin were then executed for their crimes, setting
a strong precedent for future prosecutions. It would not be an
unrealistic assertion to believe that individuals in the future who
are caught on similar charges will be subject to the same form of
punishment.

The main incident involving computer crime in Hong Kong comes on the
heels of a raid conducted by the Police Commercial Crime Bureau (CCB)
and the Office of the Telecommunications Authority (OFTA). On March 6,
1995, agents of the CCB and OFTA shut down the servers of seven
Internet providers, cutting off thousands of customers, and severely
disrupting business transactions throughout Hong Kong. At the time of
the raid, OFTA had maintained that raids were part of a police
investigation into commercial crimes involving computer hacking,
violating portions of the Hong Kong Computer Crimes Ordinance of
1993. They claimed that because the servers were not licensed, they
could have facilitated the operations of criminal hacker groups, which
would violate the 1993 ordinance. However, all employees detained were
only questioned on charges of providing telecommunications without a
license, and other computer crime charges never arose again. In this
case, the raid was a complete mixup between the CCB and OFTA. The OFTA
had been conducting an investigation into the unlicensed servers, and
had already negotiated with the Internet providers over these
terms. The CCB, however, had claimed knowledge of computer crimes, and
thus, initiated the raid with full knowledge and help of the OFTA. The
tip on these crimes, however, had apparently come from an
international telecommunications provider, meaning that either Hong
Kong TeleCom or SuperNet had blown the whistle, possibly to take out
its competition. The most puzzling part of this whole affair is that
what this huge raid actually was a contention over was simple $700
licensing fee, an amount that clearly did not warrant such a drastic
response from the Hong Kong CCB. Whatever the case, either an innocent
miscommunications, or an effort subvert free speech, this raid proved
just how little many people understand the information superhighway in
Hong Kong.

The next couple years in the absorption of Hong Kong into China will
be very interesting, not only politically, but also in terms of the
Internet. In the Russian coupe of 1991, it was widely reported that
the reason the efforts of the hardline extremists failed was because
while they have taken control of the radio and television stations,
they had failed to account for other forms of communication, including
the Internet. As a result, reports of the coupe was disseminated
throughout Russia, and the coupe collapsed. It will be interesting to
see not only if China eventually legislates laws against computer
crime, as the mainland itself will undoubtedly become more integrated,
but also if it will impose the same punishments on the populace of
Hong Kong. There will undoubtedly come a point where China must
establish rules to regulate its burgeoning electronics and computer
industry. One can only hope that such legislation does not result in
the oppressive persecution of the population.

Denmark

In January of 1990, JubJub and Sprocket, two Danish high school kids
who were Denmark's first hackers, were busted after they were
discovered snooping around some of NASA's non public machinery. At
this point, however, Denmark, and really no European nation, had
passed any laws explicitly banning the hacking of computers. After
muddling around in the courts for a while, the two were given a
non-trial sentence of two years on probation, during which time they
were expressly forbidden to hack any computers. If arrested again,
they were warned, the case would go to trial and this time, a verdict
would be returned.

Ironically, it was the publicization of the case of Sprocket at JubJub
that spurred the growth of the hacker community in Denmark. To the
governments credit, however, it also marked the beginning of law
enforcement, as a man named Joergen Bo Madsen, a computer security
expert working for both the University of Copenhagen and the Danish
government began monitoring hacker activities off of the Institute of
Computer Science at Copenhagen University (DIKU). In the winter of
1991, Madsen came out of hiding and with assistance of the Danish
secret service, busted eleven hackers, including one Saron who had
racked up a large bill on a stolen credit card. This time, people were
prosecuted.

By December of 1993, the Inner Circle of Danish hackers, most of them
students at the University of Copenhagen, were history. The
university, fed up with students trying to break into theirs and other
computer systems worldwide, called in Madsen and imposed a crackdown
on all known hackers. Busted by the Danish police were scores of
individuals including Zephyr, Dixie, WedLock, Netrunner, Darkman, and
Le Cerveau. Some were placed in isolation before prosecutions, while
others were outright released. What became of these individuals is
unclear, other than the fact that one person, Joergen Bo Madsen,
secured Denmark's computer systems from internal threats.

Miscellaneous Countries

On January 4, 1996, the iWatch program, a part of the Network
Intrusion Detector package developed by Lawrence Livermore National
Laboratory, captured and issued warrants for the arrest of an
Argentine hacker who had been caught trying to break into the center's
computer network. Although no damage was done, this intrusion provided
proof that the problems or computer crime were spreading, even to the
far corner of the South American continent. Argentina is definitely
lagging when it comes to Internet and computer access, let alone
computer crime. Up to seven years ago, telephones themselves were an
expensive commodity, although things have improved with the
privatization of the phone monopoly into three direct
competitors. However, as networks that are up are now outdated, few
outsiders come into contact with Argentinian hackers, thus, the
problems of computer crime have not yet surfaced. Although the media
in Argentina has romanticized the concept of hackers and hacking, no
culture has developed yet to warrant such an interest. The government
has approached the hacker problem by severely restricting Internet and
BBS access, in hopes of forestalling the international wave of
computer crime.

In Switzerland, legislation was passed in 1993 banning hacking,
although no prosecutions have resulted as of yet from the
statute. There have been only two hacking incidents of note, and both
were resolved in a nonlegal manner. At the Swiss X.25 Network Telepac,
an employee had let out the usernames and passwords used by internal
employees to members of the hacker community. The information spread
like wildfire, and for two years all Swiss and some German hackers
used this information to make calls around the world until the system
was finally disconnected. The other incident involved an individual
who hacked into BAG (the Swiss equivalent of NIH) and had gained
access to material on patients of the institute. At this point,
however, no laws had been passed, so no prosecution was pursued.

The French have been curiously quiet on the international computer
scene, as few headlines have been made of the prosecution of computer
criminals. The reason for this is not the lack of laws or effective
hackers, however, but the fact that the French have actually
pioneering computer law enforcement in Europe. In 1988, the French
legislature passed laws making hacking illegal, and formed a Computer
Fraud Agency (DST) to deal with the matter. They have been fairly
effective in curbing computer crime as well as telecommunications
fraud. Their list of trophies include NICK, Hardcore Hackers, Piratel
and TeKila Underground. Part of computer law enforcement is made
easier by the fact that listed on Carte France Telecom's (France's
phone company) phone bill is a listing of a caller and a callee's
phone number, making the theft of calling cards to hack almost
useless. Thus, all they have to do to catch a hacker is find the
location of the phone call, making their job a lot easier.

Conclusion

As one can see, the computer crimes are a problem that are not just
limited to the United States. From highly integrated computer cultures
such as Great Britain and Canada, to lesser integrated countries, such
as Argentina and China, hackers from all over have found ways to
encourage the legislation of newer and better computer laws. As in any
case of legal issues, each nation has taken it up itself to establish,
within its culture, the boundaries of what it considers "fairplay"
over the Internet. What makes this situation different from all
previous criminal laws, however, is that the basic nature of the
Internet is that it knows no geographic or national
boundaries. Although countries such as Singapore and the People's
Republic of China are busily developing ways to regulate the Internet
within their borders, I believe that it will eventually go the way of
television and radio, where try as they might, it will ultimately be
extremely difficult to regulate Internet access using this
method. What makes this issue of international law more important and
relevant than in cases of drug trafficking or espionage, however, is
that attacks are often made from foreign soil for only minutes, maybe
even seconds. Not only is it currently difficult to trace, prosecute,
and reach a desired verdict, but if the case crosses many national
borders, it may be almost impossible to secure extradition or decide
which country deserves ultimate jurisdictional power over a given
case. The United Nations has already created a United Nations Crime
Prevention and Criminal Justice Programme to compile statistics and
mediate criminal disputes between countries. I believe it and other
programs must fulfill a similar with computer, in fact much more so,
in order to effectively combat this growing problem. One thing I did
notice, however, is that what is considered computer crime is fairly
consistent across many national borders. Therefore, much more so than
in other case, I feel there is hope in creating a set of standardized
international computer crime laws.